Date: 2025-03-05
Internal zones can contain the same DNS record types that Cloudflare supports for public zones.
An internal zone can have the same name as a public zone in the same account.
Each internal zone can be linked to multiple views.
There can be several internal zones with the same name in one account. However, two internal zones with the same name cannot be linked to the same view.
Internal zones are not subject to any top-level domain (TLD) restrictions. This means that an internal zone can be created even if its TLD is not registered publicly (for example, xyz.local), if it is created on the TLD itself (local), or even if it is created on the root (.).
Add DNS records to your internal zone using your preferred option:
Repeat this process for each internal zone you wish to add.
(Optional) Reference a zone from another zone
Use the Update DNS settings endpoint to add a reference from an internal zone to another internal zone. In --data, specify the internal_dns object with the parameter reference_zone_id. For details, refer to reference zones.
In the following example, internal zone A (ID 8a904aeb565c42cfa207d98f6edea2f3) is referencing internal zone B (ID 8e64c6fb4b514f3faf64de81efc11e51).
2. Link your internal zone to a view
Since the resolver policy will require a DNS view, you must have at least one view to be able to route requests to internal zones.
Use the Create Internal DNS View endpoint. For each view you create, list all the internal zones that should be grouped under that view.
Select Add a policy and enter a name and description.
Create an expression for the traffic you wish to route. For guidance about selectors, operators, and values, refer to Gateway.
Select Use DNS view. In the dropdown, choose the view that queries matching the expression should be sent to.
(Optional) Adjust the option to fallback through public DNS according to your use case.
Off: Gateway DNS resolver returns the response as-is to the client.
On: In case the response from the internal zone is REFUSED, NXDOMAIN, or a response with a CNAME type, Gateway DNS resolver sends the query to Cloudflare 1.1.1.1 public resolver and tries to resolve the query via public DNS.
Use the rule settings object to define resolve_dns_internally, specifying view_id and fallback option. The fallback options behave as follows:
none: Gateway DNS resolver returns the response as-is to the client.
public_dns: In case the response from the internal zone is REFUSED, NXDOMAIN, or a response with a CNAME type, Gateway DNS resolver sends the query to Cloudflare 1.1.1.1 public resolver and tries to resolve the query via public DNS.
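The following pre-flight check is an added example, not code from Cloudflare's documentation. It checks a planned layout against the rule that two internal zones with the same name cannot be linked to the same view, and models when each fallback option sends a query to public DNS. The dictionary layout, the zone and view identifiers, and the function names are assumptions made for this example and are not Cloudflare's API schema.

```python
# Added example: pre-flight check for a planned internal DNS layout.
# The dict layout is a local planning format assumed for this example,
# not Cloudflare's API schema. All IDs and names are constructed samples.
from collections import defaultdict

FALLBACK_OPTIONS = {"none", "public_dns"}
# Response codes that trigger the public fallback, per the text above.
FALLBACK_RCODES = {"REFUSED", "NXDOMAIN"}

def lint_layout(zones, views, policies):
    """Return a list of findings for the planned zones, views and policies."""
    findings = []
    for view_name, zone_ids in views.items():
        by_name = defaultdict(list)
        for zid in zone_ids:
            if zid not in zones:
                findings.append(f"view {view_name}: unknown zone {zid}")
                continue
            # DNS names are case-insensitive, so compare in lower case.
            by_name[zones[zid].lower()].append(zid)
        for name, ids in by_name.items():
            if len(ids) > 1:
                findings.append(f"view {view_name}: zone name {name!r} linked {len(ids)} times")
    for pol in policies:
        if pol["view"] not in views:
            findings.append(f"policy {pol['name']}: view {pol['view']} does not exist")
        if pol["fallback"] not in FALLBACK_OPTIONS:
            findings.append(f"policy {pol['name']}: invalid fallback {pol['fallback']!r}")
    return findings

def sent_to_public_dns(fallback, rcode, answer_types=()):
    """True if the query would be retried through the public resolver."""
    if fallback != "public_dns":
        return False  # "none": the response is returned as-is
    return rcode in FALLBACK_RCODES or "CNAME" in answer_types

# Constructed sample: two zones named xyz.local linked to the same view.
ZONES = {"zone-a": "xyz.local", "zone-b": "xyz.local", "zone-c": "local"}
VIEWS = {"office": ["zone-a", "zone-b"], "lab": ["zone-a", "zone-c"]}
POLICIES = [
    {"name": "corp", "view": "office", "fallback": "public_dns"},
    {"name": "test", "view": "staging", "fallback": "public"},
]

if __name__ == "__main__":
    for finding in lint_layout(ZONES, VIEWS, POLICIES):
        print(finding)
    print(sent_to_public_dns("public_dns", "NXDOMAIN"))
```

With public_dns selected, every internal name that returns NXDOMAIN or REFUSED is queried again through the public resolver, which is worth weighing when internal hostnames are sensitive.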